This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at James.gong@twobirds.com.
Key Highlights
On 22 February 2023, the Cyberspace Administration of China (CAC) released the long-awaited standard contract for personal information export (the “Standard Contract”) and an accompanying regulation, seven months after it published the first draft for consultation. The Regulation takes effect from 1 June and provides for a six-month rectification period.
The Standard Contract and the accompanying regulation complete the Chinese regulatory framework for Personal Information Export. Whilst the Standard Contract in China bears many similarities with the Standard Contractual Clauses under the GDPR, the data importers and exporters are required to sign the Standard Contract in the form as released by the CAC without any changes, and additional terms must not contradict the Standard Contract.
Personal information processors in China are recommended to take the following actions to ensure compliance with the Standard Contract and the accompanying regulation:
- Identify the personal information export data flows and the importers;
- Amend existing cross-border data transfer documents to reflect the changes;
- Notify and discuss with the importers about signing the Standard Contract;
- Conduct the Personal Information Protection Influence Assessment (the “PIPIA”) in relation to the personal information export and remediate any gaps and risks identified;
- Execute the Standard Contract; and
- File the PIPIA report and the signed Standard Contract with the CAC.
Please see our detailed comments by clicking the links in the section below.
Our Views
China’s Data Export Framework Completed with Release of Standard Contract
Follow the links below to view the official policy document on the People’s Republic of China Government websites.
Legislative Developments
1. CAC issued Measures on Standard Contract for Export of Personal Information
On February 24, the CAC announced the Measures on Standard Contracts for the Export of Personal Information (the “Measures”), which shall come into effect on June 1, 2023. The Measures aim to implement the provisions of the Personal Information Protection Law, protect the rights and interests in personal information, and regulate the export activities of personal information. The Measures are applicable when a personal information processor seeks to transfer personal information outside of China by entering into a Standard Contract. According to the Measures, the conclusion of the Standard Contract should be filed, and it is important to protect the rights and interests of the data subjects while preventing risks so that cross-border data transfers can be carried out safely. The Measures provide the scope of application of the Standard Contract for the export of personal information, the specific conditions and filing requirements of the Standard Contract, and a template for the Standard Contract, as well as detailed guidelines.
2. CPC Central Committee and State Council issued Overall Layout Plan of Building Digital China
On February 27, the Central Committee of the Communist Party of China (CPC) and the State Council issued the Overall Layout Plan of Building a Digital China (the “Plan”). The Plan points out that building a digital China is an important engine for advancing Chinese-style modernization in the digital era and a powerful tool for gaining new competitive advantages in the international arena. The Plan proposes that, by 2025, the digital infrastructure will be efficiently connected across a wide range of sectors, and important progress will be made in the construction of a digital China. According to the Plan, the construction of a digital China will be laid out according to the overall framework of “2522” as follows:
- to consolidate the “two foundations” of digital infrastructure and data resource systems;
- to promote the integration of the digital economy and the “five industries” including the economy, politics, culture, society, and ecological civilization;
- to strengthen the “two capabilities” of the digital technology innovation system and the digital security shield; and
- to optimize the “two environments” of domestic and international digital development.
On February 28, the Ministry of Industry and Information Technology (MIIT) issued the Notice of the MIIT on Further Improving Mobile Internet Application Service Capability (the “Notice”). The Notice puts forward 12 measures to improve user service perceptions on issues such as app installation and uninstallation, service experience, personal information protection, and response to requests. The Notice also includes 14 restrictive measures for app developers and operators, distribution platforms, SDKs (software development kits), terminals, and access service providers.
On February 7, the China Securities Regulatory Commission (CSRC) released a recommended standard for the financial industry, namely Interior Interface for Securities and Futures Industry – Information Data (JR/T 0275-2023) (“Recommended Standard”), which became effective on the date of its publication. The Recommended Standard aims to regulate the internal interfaces of the information and data systems of financial institutions by establishing requirements for data fields, formats, and interaction protocols of the data interfaces based on the interaction of data between core business modules. It will serve as an important guide for financial institutions to build effective internal information systems and realize cross-platform resource sharing.
5. CMA released new Catalogue of Sharing of Basic Meteorological Data
On February 6, the China Meteorological Administration (CMA) released the new Catalogue of Sharing of Basic Meteorological Data (the “Catalogue”), which covers 52 types of meteorological data and products in 12 categories. The new Catalogue is a significant upgrade from the previous edition in 2015. The number of data types has increased from 17 in 5 categories to 52 in 12 categories, with the addition of global marine meteorological data, live analysis and reanalysis products, and weather forecast products related to typhoons, oceans, and severe convective storms. Many high-quality and valuable data products have been included in the Catalogue as a result of technological progress, e.g., China’s global weather numerical forecast model and the global atmosphere reanalysis product that fills a gap in the field. The Catalogue also encompasses data products with longer time series that can span up to 40 years, which will provide a useful resource for climate change research.
6. SPB adopted in principle Regulation on Administration of Personal Information Security of Users of Postal and Courier Services (Draft for Review)
On February 6, the State Post Bureau (SPB) held an executive meeting, during which the Regulation on the Administration of Personal Information Security of Users of Postal and Courier Services (Draft for Review) (the “Regulation”) was deliberated and adopted in principle. It was stressed at the meeting that the protection of users’ personal information is a matter of national security, public safety, and the safety of people’s lives and property. The revision of the Regulation is both a move to implement the government’s policies and decisions and a response to the challenges facing the industry in protecting personal information. The meeting called for further efforts to work with the relevant authorities to crack down on leaks, purchases, and sales of users’ personal information and other violations in accordance with the law and to implement the supervision responsibilities of the postal authorities by urging postal and courier companies to strengthen network security, data security, and personal information protection. The meeting also underlined the importance of enhancing enterprises’ accountability for information security protection, promoting the use of efficient technology, strengthening the monitoring of personal information security in real time, and preventing major security risks and breaches.
On February 17, the Development and Reform Commission (DRC) of the Shenzhen Municipality released the Interim Measures for the Administration of Data Property Rights Registration in Shenzhen (Draft for Comments) (the “Shenzhen Measures”) to further regulate the registration of data property rights, protect the legitimate rights and interests of the participants of the data element market, and promote the flow, development, and utilization of data as a factor of production. The Shenzhen Measures for comments include 33 articles and provide the rights and obligations of the registrants. According to the Shenzhen Measures, the registrants are entitled to possess data resources, to process and use data, and to operate data products in accordance with laws and regulations and contractual arrangements; the registrants have the right to obtain the registration certificates for data resources or data products and data resources licenses subject to the approval of the registration authority, which will serve as an important basis for data transactions, financing mortgages, the inclusion of data assets on the balance sheet, accounting procedures, and dispute arbitration.
On February 17, the Hangzhou Data Resources Administration issued the Implementation Plan for the Authorized Operation of Public Data in Hangzhou (Trial) (Draft for Comments) (the “Hangzhou Plan”) in a move to accelerate the orderly development and utilization of public data and cultivate the data element market. The Hangzhou Plan proposes (1) to establish the preliminary mechanism for public data authorization and operation; (2) to build a comprehensive evaluation system for the authorized operation; (3) to release the first catalogue of authorized public data resources; (4) to complete the development of the platform for the authorized operation of public data; (5) to form the preliminary models for operation management, product pricing, revenue distribution, and technical standards; and (6) to carry out substantive authorized operation by the end of 2023.
Enforcement Developments
9. MIIT released List of MIIT Administrative Enforcement Items (2022 Edition) with data security-related enforcement items added
On February 8, the MIIT released the List of MIIT Administrative Enforcement Items (2022 Edition) (the “List”) in accordance with the requirements of the Interim Implementation Plan for the MIIT to Fully Implement the Administrative Law Enforcement Publicity System, the Record System for the Entire Law Enforcement Process, and the Legal Review System for Major Law Enforcement Decisions. In compiling the List, the MIIT also took into account the latest revision of relevant laws and regulations and the practice of administrative enforcement. The List contains 296 items, including 38 on network security, 15 on data security, and 4 on personal information protection. In total, there are 45 items related to administrative penalties and 12 related to administrative inspections.
10. MIIT reported 46 apps for unlawful collection of personal information and other violations
On February 8, the MIIT released a list of 46 apps (SDKs) found to have infringed on users’ rights and interests after engaging a third-party testing agency to inspect popular mobile apps for everyday life and third-party SDKs under the Personal Information Protection Law, the Cyber Security Law, the Telecommunications Regulations, and the Provisions on the Protection of Personal Information of Telecommunications and Internet Users. The MIIT stressed that the relevant app and SDK operators should complete the rectification in due course.
On February 27, the MIIT released a list of 29 pilot typical cases and 5 model regions in accordance with the Notice of the MIIT General Office on Organizing the Selection of Pilot Model Cases and Regions for Data Security Management in the Industrial Sector. The list was announced after the cases had been submitted, reviewed, and made available for public comment online.
12. SHCA issues practical Q&A on data export security assessment declaration (II)
On February 1, in response to recent queries and common problems encountered during completeness checks, the Shanghai Cyberspace Administration (SHCA) issued the practical Q&A (II) based on the Measures of Security Assessment for Data Export and the Guidelines on Data Export Security Assessment Declaration (Version 1). The Q&A addresses the common questions raised in the data export security assessment declaration, including how to prepare the power of attorney and commitment letter for the handler and what to consider when drafting the data export risk self-assessment report.
On February 24 it was reported that, in accordance with the Data Security Law and the Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) and the requirements of the MIIT, the Shanghai Communications Administration (SCA) had established a list of key enterprises for data security risk prevention and control in the city to strengthen the management of data security in the telecoms and Internet industry. Ten key companies in the sector have completed the identification and catalogue filing of the important data and core data accordingly, including Shanghai Telecom, Shanghai Mobile, Shanghai Unicom, Orient Cable Network, Pinduoduo, Ctrip, Bilibili, Dewu, Xiaohongshu, and Himalaya.
Recently, the Beijing Intellectual Property Court concluded an unfair competition case involving the misappropriation of data information from another website. According to the plaintiff, the defendant company engaged in unfair competition by copying and displaying on its own website more than 50,000 pieces of user complaint information obtained from the plaintiff’s site. The court of first instance held that the defendant’s conduct constituted unfair competition under Article 2 of the Anti-Unfair Competition Law. The defendant and its legal representative appealed to the Beijing Intellectual Property Court, which rejected the appeal and upheld the original judgment on the grounds that the defendant’s conduct was unfair competition.
Industry Developments
On February 21, Foreign Minister Qin Gang attended the opening ceremony of the Lanting Forum themed “The Global Security Initiative: China’s Proposal for Solving Security Challenge” and delivered a keynote speech. As stated by Qin Gang, the Chinese government has launched the Global Data Security Initiative to develop global rules for digital governance that reflect every country’s wish and respect the interests of all sides. In addition, China will continue to promote the implementation of the China-League of Arab States Cooperation Initiative on Data Security and the Data Security Cooperation Initiative of China+Central Asia to jointly combat cyber threats and establish a system of global cyberspace governance that is open, fair, stable, and vibrant.
16. CSAC released Self-Regulatory Convention on Personal Information Protection
On February 1, the Cyber Security Association of China (CSAC) published the Self-Regulation Convention on Personal Information Protection (the “Convention”) in its efforts to promote the implementation of the Personal Information Protection Law, to protect the legitimate rights and interests of the majority of Internet users, and to fully utilize the role of industry self-regulation. In July 2022, CSAC organized the signing of the Convention among its member organisations and other key stakeholders to enhance the awareness of personal information protection and promote the comprehensive management of personal information protection. Nearly 200 organisations have signed the Convention to date.
17. CSAC released test report on collection of personal information by online shopping apps
On February 2, the CSAC and the National Computer Network Emergency Response Technology Coordination Center conducted a test to assess the collection of personal information by various popular apps for online shopping. The test examined the top 10 most-downloaded online shopping apps from across 19 app stores. The content of the test included system permission requests, personal information uploads, and network traffic usage for uploads.
On February 13, the Guangdong Provincial Communications Administration issued the Notice on the Administrative Inspection of Network Data Security and Application Compliance in the Telecommunications and Internet Industry in Guangdong Province in 2023 (the “Guangdong Notice”). With immediate effect, administrative inspections will be conducted to ensure network security, data security, personal information, mobile smart terminals, and Internet application compliance within the province in the telecommunications and internet industry.
On February 9, the top 10 development trends of network security in 2023 were unveiled at a conference held by the Technical Committee of Computer Security of the China Computer Federation in Beijing. The forecast result was decided by a vote of the committee members, which included national network security authorities, universities, research institutes, relevant ministries, major central enterprises, and private enterprises. Among the top trends shaping the future of the area are “data security governance becoming the cornerstone of the digital economy”, “critical information infrastructure protection becoming an industry growth point”, and “data security industry ushering in high growth”.